Privacy & Security The HHS Rule is Out What s New and What s Next. Mary Jo Carden, RPh, JD Director, Regulatory Affairs AMCP mcarden@amcp.

Transcription

1 Privacy & Security The HHS Rule is Out What s New and What s Next Mary Jo Carden, RPh, JD Director, Regulatory Affairs AMCP mcarden@amcp.org

2 Disclosure Mary Jo Carden is an employee of the Academy of Managed Care Pharmacy. The conflict of interest was resolved by peer review of the slide content. She declares no other conflicts of interest or financial interest in any product or service menmoned in this program, including grants, employment, gins, stock holdings, and honoraria. ASAP s and NCPA s educamon staff declares no conflicts of interest or financial interest in any product or service menmoned in this program, including grants, employment, gins, stock holdings, and honoraria.

3 Learning ObjecMves Following this presenta0on, a2endees should be able to: 1 IdenMfy key issues from the federal privacy and security rules applicable to business associates. 2 Explain the elements of nomce of privacy pracmces (NPPs) that must be updated. 3 State the new definimons for business associates. 4 List the elements of new business associate agreements and compliance deadlines 5 IdenMfy compliance Mps for the privacy and security rules.

4 Important Dates & Compliance Issues Compliance with final HITECH rule required by September 23, 2013 Includes privacy and security rules Covered enmmes must update nomce of privacy pracmces (NPPs) HHS sample NPP available: h^p:// coveredenmmes/nomce.pdf Use as sample but modify

5 NPP Updates Must Include Changes to privacy and security rules NoMce of procedures for data breach and nomficamon Provisions for uses of informamon for markemng when specific authorizamon not required Outline of uses for markemng that includes specific authorizamon NoMce of ability to request restricmons NoMce of ability to receive copies of records

6 Important Dates & Compliance Issues Business Associate Agreements (BAAs) Compliance by September 23, 2013 BAAs executed on or aner January 25, 2013 or Executed prior to January 25, 2103 and either not in compliance with pre- HITECH rules, or renewed or modified between March 26, 2013 and September 26, 2103 Compliance by September 22, 2014 BAAs renewed or modified between September 23, 2013 and September 22, 2014 BAAs executed prior to January 25, 2013 that comply with pre- HITECH rules and are not renewed or otherwise modified between March 26, 2013 and September 22, 2104 Sample BAA h^p:// coveredenmmes/contractprov.html

7 Key Provisions Privacy: HIPAA v HITECH Rule New requirements for BAs and BAAs Breach nomficamon MarkeMng guidance PaMent requested restricmons to access PaMent electronic access to informamon AccounMng for disclosures NPP PenalMes and accounmng

8 Remember HIPAA? Good faith acknowledgement of NPP Use and disclosure of protected health informamon for treatment, payment, and operamons Other uses require pament authorizamon PaMents may access, copy and amend files AccounMng of disclosures

9 This is HITECH!

10 Expanded DefiniMon of BA Now covered directly subject to audits and fines Includes Health informamon organizamon E- prescribing gateway Any other enmty or person that transmits or provides data services and has roumne access to PHI Person who offers personal health record to one or more individuals on behalf of a CE Subcontractors of BAs

11 What s Required of BAs? Provisions Applicable to BAs Security rules Privacy provisions, must be incorporated into BA contract May not use or disclose PHI except as permi2ed by Privacy or Enforcement Rule May not use or disclose if viola0ons of Privacy Rule Provisions that do not obligate BAs NPPs unless required by contract Administra0ve requirements Appoin0ng a privacy officer Mi0ga0on of breaches Documenta0on Individual rights to access PHI or restrict disclosure except for informa0on to PHI if BAA provides

12 Breach NoMficaMon Unsecured access to PHI* Applies to electronic, hard copy, and oral informamon AcquisiMon, access, use or disclosure of PHI in a manner not permi^ed under HIPAA privacy rule Compromises privacy or security of PHI* *Must apply an excepmons analysis

13 Three excepmons Breach NoMficaMon UnintenMonal access, acquisimon or use by workforce member under authority of CE or BA if Made in good faith and scope of authority Does not result in further impermissible uses or disclosures Inadvertent disclosure by person authorized by CE or BA to access PHI pursuant to an agreement with a CE Does not result in further impermissible uses or disclosures Disclosure where CE has good faith believe that person would not reasonably retain informamon

14 Breach Assessment CEs and BAs must conduct breach risk assessment and determine whether nomficamon required PresumpMon of breach unless ExcepMon applies Low probability of PHI compromise Nature and extent of PHI involved Unauthorized person who used PHI or to whom the disclosure was made Whether PHI actually acquired or viewed Extent of risk mimgamon

15 Breach NoMficaMon: Timing & Methods First day known to employee, officer, or agent or reasonably should have known Reasonable diligence Provided without unreasonable delay to individual but not more than 60 days Methods First class mail to last known address or by if specified and By phone if urgent SubsMtute nomce in certain cases

16 Breach NoMce to HHS >500 affected individuals must report immediately <500 affected individuals must report annually within 60 days of year end Maintain documentamon for 6 years HHS breach repormng website h^p:// breachnomficamonrule/brinstrucmon.html

17 Protocol to Prevent & Report Breaches Must have updated data breach policies and breach response plans Included in BAAs, NPP, and other contractual agreements Include risk assessment tools Employee training Review reported breaches in a Mmely manner and document

18 MarkeMng CommunicaMon that encourages purchase or use of products or services Requires specific authoriza8on for all subsidized treatment or health opera8on communica8ons

19 MarkeMng: HHS September 2013 Guidance Permi2ed without authoriza0on Refill reminders Generic equivalents Lapsed rx within 90 days Adherence Self- administered drugs Not permi2ed Specific new formula0ons Specific adjunc0ve therapy Communica0ons involving switches Remuneration Non-financial, in-kind Permitted to CE if does not exceed reasonable costs Permitted to BA if reflects fair market value HHS FAQs

20 Sale of PHI Specific authorizamon required if CE or BA directly or indirectly receives remuneramon from or on behalf of the recipient CE or BA is being compensated, including non- financial remuneramon ExcepMons Public health Research Treatment or payment Sales, transfer, or merger BA regular acmvimes To individual Required by law/under privacy rule

21 PaMent- Requested RestricMons to Access CEs and providers must comply with request if Purpose if for payment or operamons, not treatment PHI pertains solely to health care items or service paid out of pocket in full; and Disclosure not otherwise required by law (ex PDMPs) Allowed to make requests for payments in cases of bounced checks, etc Impalement policies an procedures Electronic systems should be designed to flag data subject to restricmons

22 Right to Individual Records Individuals have a right to copy or designate informamon in electronic format from any CE or BA that uses or maintains a designated record set for PHI Form must be readily producible Must ensure security of transmission, such as secure Individuals have the right to a paper copy of PHI Request must be in wrimng, signed by the individuals, and clearly idenmfy the designated person and where to send the informamon Electronic request meets in wrimng definimon EnMMes may not impose a fee that exceeds labor costs Must fulfill requested within 30 days

23 AccounMng of Disclosures Proposed rule in May 2011 No final rule! HIPAA requires accounmng of non- roumne TPO HITECH requires accounmng of all disclosures in previous 3 years made through electronic health record Office of the NaMonal Coordinator exploring issue

24 How to comply Must follow the provisions of the Security Rule Physical, technical, and administramve safeguards Policies and procedures Must conduct a risk analysis HHS recently developed guidance on procedures for remote access Use guidance from NaMonal InsMtute of Standards and Technology (NIST) for electronic security issues HHS resources on Security Rule h^p:// securityruleguidance.html

25 Implement BAAs How to comply Enforcement provisions will apply with or without a BAA CEs must evaluate vendors and service providers BA must assess reslamonsh8iops with subcontractors Develop compliance plans Ensure incorporamon of new provisions Ensure plans for gaps Assume you will experience a breach! Need to efficacy of policies and procedures Implement pracmcal training and policies and procedures understandable to employees Review HHS audit protocol h^p:// enforcement/audit/protocol.html

26 PenalMes (For HITECH & HIPAA) Violation Category Each Violation All such violations of an identical provision per calendar year Did Not Know $100-50,000 $1,500,000 Reasonable Cause Willful Neglect Corrected Willful Neglect Not Corrected $1,000 50,000 $1,500,000 $10,000 50,000 $1,500,000 $50,000 $1,500,000

27 Keys for Enforcement ProacMve in addimon complaint driven Prepare for periodic audits Pilot in 2012: h^p:// enforcement/audit/hipaa_compliance- audit_print- friendly.pdf Nearly 20K invesmgamons and enforcement acmons against health care organizamons and BAs in 2012 No NPP Stolen laptops without proper security PosMng PHI on websites accessible to the public Access to USB drives or other electronic media